Trying to build an SSH honeypot in C - c

I'm trying to write a honeypot in C to replicate an SSH session. I'm aiming for a low interaction honeypot (similar to Kippo).
The idea is: client connects to honeypot via SSH, honeypot then understands and responds to pre-defined commands (e.g. wget, env etc).
The bit I'm stuck on is creating the initial SSH connection. I've read through the RFC for SSH to get an understanding of how SSH session are initiated. Then I've been looking at the libraries OpenSSH, libssh and libssh2 - but I can't see how to initiate an SSH session similar to sshd.
Not sure if I can use the sshd service to create the SSH session and then run the honeypot from that?
Hope that makes sense. Any help on this would be much appreciated.

Think I found what I was looking for: libssh. There's a good example on their github page of how to implement an ssh daemon in C: https://github.com/substack/libssh/blob/master/examples/samplesshd.c
For a basic SSH honeypot implementation in C there's project on github called sshpot by Pete Morris (https://github.com/PeteMo/sshpot):
#include "config.h"
#include "auth.h"
#include <libssh/libssh.h>
#include <libssh/server.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <getopt.h>
#include <errno.h>
#include <sys/wait.h>
#define MINPORT 0
#define MAXPORT 65535
/* Global so they can be cleaned up at SIGINT. */
static ssh_session session;
static ssh_bind sshbind;
/* Print usage information to `stream', exit with `exit_code'. */
static void usage(FILE *stream, int exit_code) {
fprintf(stream, "Usage: sshpot [-h] [-p <port>]\n");
fprintf(stream,
" -h --help Display this usage information.\n"
" -p --port <port> Port to listen on; defaults to 22.\n");
exit(exit_code);
}
/* Return the c-string `p' as an int if it is a valid port
* in the range of MINPORT - MAXPORT, or -1 if invalid. */
static int valid_port(char *p) {
int port;
char *endptr;
port = strtol(p, &endptr, 10);
if (port >= MINPORT && port <= MAXPORT && !*endptr && errno == 0)
return port;
return -1;
}
/* Signal handler for cleaning up after children. We want to do cleanup
* at SIGCHILD instead of waiting in main so we can accept multiple
* simultaneous connections. */
static int cleanup(void) {
int status;
int pid;
pid_t wait3(int *statusp, int options, struct rusage *rusage);
while ((pid=wait3(&status, WNOHANG, NULL)) > 0) {
if (DEBUG) { printf("process %d reaped\n", pid); }
}
/* Re-install myself for the next child. */
signal(SIGCHLD, (void (*)())cleanup);
return 0;
}
/* SIGINT handler. Cleanup the ssh* objects and exit. */
static void wrapup(void) {
ssh_disconnect(session);
ssh_bind_free(sshbind);
ssh_finalize();
exit(0);
}
int main(int argc, char *argv[]) {
int port = DEFAULTPORT;
/* Handle command line options. */
int next_opt = 0;
const char *short_opts = "hp:";
const struct option long_opts[] = {
{ "help", 0, NULL, 'h' },
{ "port", 1, NULL, 'p' },
{ NULL, 0, NULL, 0 }
};
while (next_opt != -1) {
next_opt = getopt_long(argc, argv, short_opts, long_opts, NULL);
switch (next_opt) {
case 'h':
usage(stdout, 0);
break;
case 'p':
if ((port = valid_port(optarg)) < 0) {
fprintf(stderr, "Port must range from %d - %d\n\n", MINPORT, MAXPORT);
usage(stderr, 1);
}
break;
case '?':
usage(stderr, 1);
break;
case -1:
break;
default:
fprintf(stderr, "Fatal error, aborting...\n");
exit(1);
}
}
/* There shouldn't be any other parameters. */
if (argv[optind]) {
fprintf(stderr, "Invalid parameter `%s'\n\n", argv[optind]);
usage(stderr, 1);
}
/* Install the signal handlers to cleanup after children and at exit. */
signal(SIGCHLD, (void (*)())cleanup);
signal(SIGINT, (void(*)())wrapup);
/* Create and configure the ssh session. */
session=ssh_new();
sshbind=ssh_bind_new();
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDADDR, LISTENADDRESS);
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT, &port);
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, "ssh-rsa");
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY,RSA_KEYFILE);
/* Listen on `port' for connections. */
if (ssh_bind_listen(sshbind) < 0) {
printf("Error listening to socket: %s\n",ssh_get_error(sshbind));
return -1;
}
if (DEBUG) { printf("Listening on port %d.\n", port); }
/* Loop forever, waiting for and handling connection attempts. */
while (1) {
if (ssh_bind_accept(sshbind, session) == SSH_ERROR) {
fprintf(stderr, "Error accepting a connection: `%s'.\n",ssh_get_error(sshbind));
return -1;
}
if (DEBUG) { printf("Accepted a connection.\n"); }
switch (fork()) {
case -1:
fprintf(stderr,"Fork returned error: `%d'.\n",-1);
exit(-1);
case 0:
exit(handle_auth(session));
default:
break;
}
}
return 0;
}

Related

How to programmatically get PID of process connecting to my proxy via AF_INET sockets, on the same machine?

I am writing a small http proxy server(in C) on a linux machine, Ubuntu 18.04.1 to be specific, and I've been trying to find a way to get the pid of the process that is connecting to it.
It might be of use to mention that the proxy is intended to proxy connections only for processes running on the same machine, so I guess this should make this task possible.
The server uses AF_INET family sockets along with read/write operations in order to do it's job; I am mentioning this because after some research I did encounter threads about "ancillary data",for example: Is there a way to get the uid of the other end of a unix socket connection
Ancillary data contain credentials of the connecting socket(such as PID), but only work on AF_UNIX sockets, used for local IPC, and requires us to explicitly send/receive it on both sides(client/server). In my case, although, as I mentioned, the server will only proxy traffic on the same machine as the server, I need to use AF_INET sockets, so everyone(e.g. web browser) is able to connect to it.
Performance is not so critical; so any suggestions(including workarounds using system calls etc.) are very welcome.
We can use netstat -nptW output to see which local processes' TCP connections. As the output may be security sensitive, superuser privileges are required to see processes belonging to all users.
Since there is no reason to run a proxy service with elevated privileges (expect perhaps CAP_NET_BIND_SERVICE), a privileged helper program is needed.
I pondered a suitable security model for a bit, and came to the conclusion that a helper which examines the connected socket given to it (as say standard input), and outputs just the peer PID(s), would be safest: it would be extremely hard to misuse it, and even if possible, only the peer process ID is revealed.
Here is the example helper, tcp-peer-pids.c:
#define _POSIX_C_SOURCE 200809L
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#define EXITCODE_OK 0
#define EXITCODE_STDIN_INVALID 1
#define EXITCODE_UNKNOWN_ADDRESS 2
#define EXITCODE_NETSTAT 3
#define EXITCODE_NETSTAT_OUTPUT 4
#define EXITCODE_WRITE_ERROR 5
#define EXITCODE_PRIVILEGES 6
static pid_t *pids = NULL;
static size_t num_pids = 0;
static size_t max_pids = 0;
static int add_pid(const pid_t p)
{
size_t i;
/* Check if already listed. */
for (i = 0; i < num_pids; i++)
if (pids[i] == p)
return 0;
/* Ensure enough room in pids array. */
if (num_pids >= max_pids) {
const size_t max_temp = (num_pids | 1023) + 1025 - 8;
pid_t *temp;
temp = realloc(pids, max_temp * sizeof pids[0]);
if (!temp)
return ENOMEM;
pids = temp;
max_pids = max_temp;
}
pids[num_pids++] = p;
return 0;
}
int main(void)
{
struct sockaddr_storage sock_addr;
socklen_t sock_addrlen = sizeof sock_addr;
char sock_match[128], sock_host[64], sock_port[32];
struct sockaddr_storage peer_addr;
socklen_t peer_addrlen = sizeof peer_addr;
char peer_match[128], peer_host[64], peer_port[32];
FILE *cmd;
char *line = NULL;
size_t size = 0;
ssize_t len;
int status;
/* Socket address is *remote*, and peer address is *local*.
This is because the variables are named after their matching netstat lines. */
if (getsockname(STDIN_FILENO, (struct sockaddr *)&sock_addr, &sock_addrlen) == -1) {
fprintf(stderr, "Standard input is not a valid socket.\n");
exit(EXITCODE_STDIN_INVALID);
}
if (getpeername(STDIN_FILENO, (struct sockaddr *)&peer_addr, &peer_addrlen) == -1) {
fprintf(stderr, "Standard input is not a connected socket.\n");
exit(EXITCODE_STDIN_INVALID);
}
if ((sock_addr.ss_family != AF_INET && sock_addr.ss_family != AF_INET6) ||
(peer_addr.ss_family != AF_INET && peer_addr.ss_family != AF_INET6)) {
fprintf(stderr, "Standard input is not an IP socket.\n");
exit(EXITCODE_STDIN_INVALID);
}
/* For security, we close the standard input descriptor, */
close(STDIN_FILENO);
/* and redirect it from /dev/null, if possible. */
{
int fd = open("/dev/null", O_RDONLY);
if (fd != -1 && fd != STDIN_FILENO) {
dup2(fd, STDIN_FILENO);
close(fd);
}
}
/* Convert sockets to numerical host and port strings. */
if (getnameinfo((const struct sockaddr *)&sock_addr, sock_addrlen,
sock_host, sizeof sock_host, sock_port, sizeof sock_port,
NI_NUMERICHOST | NI_NUMERICSERV)) {
fprintf(stderr, "Unknown socket address.\n");
exit(EXITCODE_UNKNOWN_ADDRESS);
}
if (getnameinfo((const struct sockaddr *)&peer_addr, peer_addrlen,
peer_host, sizeof peer_host, peer_port, sizeof peer_port,
NI_NUMERICHOST | NI_NUMERICSERV)) {
fprintf(stderr, "Unknown peer address.\n");
exit(EXITCODE_UNKNOWN_ADDRESS);
}
/* Combine to the host:port format netstat uses. */
snprintf(sock_match, sizeof sock_match, "%s:%s", sock_host, sock_port);
snprintf(peer_match, sizeof peer_match, "%s:%s", peer_host, peer_port);
/* Switch to privileged user, if installed as setuid. */
{
uid_t real_uid = getuid();
gid_t real_gid = getgid();
uid_t effective_uid = geteuid();
gid_t effective_gid = getegid();
if (real_gid != effective_gid || real_uid != effective_uid) {
/* SetUID or SetGID in effect. Switch privileges. */
if (setresgid(effective_gid, effective_gid, effective_gid) == -1 ||
setresuid(effective_uid, effective_uid, effective_uid) == -1) {
fprintf(stderr, "Error in privileges: %s.\n", strerror(errno));
exit(EXITCODE_PRIVILEGES);
}
}
}
/* Run netstat to obtain the data; redirect standard error to standard output. */
cmd = popen("LANG=C LC_ALL=C /bin/netstat -nptW 2>&1", "r");
if (!cmd) {
fprintf(stderr, "Cannot run netstat.\n");
exit(EXITCODE_NETSTAT);
}
/* Input line loop. */
while (1) {
char *field[8], *ends;
long val;
pid_t p;
len = getline(&line, &size, cmd);
if (len < 1)
break;
/* Split each line into fields. */
field[0] = strtok(line, "\t\n\v\f\r "); /* Protocol */
/* We are only interested in tcp ("tcp" and "tcp6" protocols). */
if (strcmp(field[0], "tcp") && strcmp(field[0], "tcp6"))
continue;
field[1] = strtok(NULL, "\t\n\v\f\r "); /* Recv-Q */
field[2] = strtok(NULL, "\t\n\v\f\r "); /* Send-Q */
field[3] = strtok(NULL, "\t\n\v\f\r "); /* Local address (peer) */
field[4] = strtok(NULL, "\t\n\v\f\r "); /* Remote address (sock) */
field[5] = strtok(NULL, "\t\n\v\f\r "); /* State */
field[6] = strtok(NULL, "\t\n\v\f\r /"); /* PID */
field[7] = strtok(NULL, "\t\n\v\f\r "); /* Process name */
/* Local address must match peer_match, and foreign/remote sock_match. */
if (strcmp(field[3], peer_match) || strcmp(field[4], sock_match))
continue;
/* This line corresponds to the process we are looking for. */
/* Missing PID field is an error at this point. */
if (!field[6])
break;
/* Parse the PID. Parsing errors are fatal. */
ends = field[6];
errno = 0;
val = strtol(field[6], &ends, 10);
if (errno || ends == field[6] || *ends != '\0' || val < 1)
break;
p = (pid_t)val;
if ((long)p != val)
break;
/* Add the pid to the known pids list. */
if (add_pid(p))
break;
}
/* The line buffer is no longer needed. */
free(line);
/* I/O error? */
if (!feof(cmd) || ferror(cmd)) {
fprintf(stderr, "Error reading netstat output.\n");
exit(EXITCODE_NETSTAT_OUTPUT);
}
/* Reap the netstat process. */
status = pclose(cmd);
if (status == -1) {
fprintf(stderr, "Error reading netstat output: %s.\n", strerror(errno));
exit(EXITCODE_NETSTAT_OUTPUT);
}
if (!WIFEXITED(status)) {
fprintf(stderr, "Netstat died unexpectedly.\n");
exit(EXITCODE_NETSTAT_OUTPUT);
}
if (WEXITSTATUS(status)) {
fprintf(stderr, "Netstat failed with exit status %d.\n", WEXITSTATUS(status));
exit(EXITCODE_NETSTAT_OUTPUT);
}
/* Output the array of pids as binary data. */
if (num_pids > 0) {
const char *head = (const char *)pids;
const char *const ends = (const char *)(pids + num_pids);
ssize_t n;
while (head < ends) {
n = write(STDOUT_FILENO, head, (size_t)(ends - head));
if (n > 0)
head += n;
else
if (n != -1)
exit(EXITCODE_WRITE_ERROR);
else
if (errno != EINTR)
exit(EXITCODE_WRITE_ERROR);
}
}
/* Discard the pids array. */
free(pids);
exit(EXITCODE_OK);
}
It can be run using ordinary user privileges (in which case it'll only know about processes owned by that user), root privileges, or as setuid root.
If used with sudo, ensure you use rule proxyuser ALL = NOPASSWD: /path/to/helper, because sudo has no way of asking a password there. I would probably just install the helper as setuid root at /usr/lib/yourproxy/tcp-peer-pid, owner root, group your proxy service group, and no access to other users (root:proxygroup -r-sr-x---).
The helper is tightly coupled to netstat -nptW output format, but does explicitly set the C locale to avoid getting localized output.
The comparison address:port strings to match to "Local Address" and "Foreign Address" in netstat output are constructed from the addresses returned by getpeername() and getsockname(), respectively, using [getnameinfo()(http://man7.org/linux/man-pages/man3/getnameinfo.3.html) in numerical form (using NI_NUMERICHOST | NI_NUMERICSERV flags).
The helper provides the PIDs in binary form to the server, because the server code would have been too long to fit in a single post here otherwise.
Here is an example TCP service, server.c, which uses the above helper to find out the PID of the peer end of the socket on the local computer. (To avoid denial-of-service attacks, you should set an IP filter that rejects accesses to your proxy service port from outside the computer.)
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#ifndef HELPER_PATH
#define HELPER_PATH "./tcp-peer-pids"
#endif
#ifndef HELPER_NAME
#define HELPER_NAME "tcp-peer-pids"
#endif
#ifndef SUDO_PATH
#define SUDO_PATH "/usr/bin/sudo"
#endif
#ifndef SUDO_NAME
#define SUDO_NAME "sudo"
#endif
/*
* Signal handler, to detect INT (Ctrl+C), HUP, and TERM signals.
*/
static volatile sig_atomic_t done = 0;
static void handle_done(int signum)
{
/* In Linux, all signals have signum > 0. */
__atomic_store_n(&done, (sig_atomic_t)signum, __ATOMIC_SEQ_CST);
}
static int install_done(int signum)
{
struct sigaction act;
memset(&act, 0, sizeof act);
sigemptyset(&act.sa_mask);
act.sa_flags = SA_RESTART; /* Do not interrupt slow syscalls. */
act.sa_handler = handle_done;
if (sigaction(signum, &act, NULL) == -1)
return -1; /* errno set by getpeername() */
return 0;
}
/* Helper function: Move descriptors away from STDIN/STDOUT/STDERR.
Returns 0 if successful, -1 with errno set if an error occurs. */
static inline int normalfds(int fd[], const size_t n)
{
unsigned int closemask = 0;
int err = 0;
size_t i;
int newfd;
for (i = 0; i < n; i++)
while (fd[i] == STDIN_FILENO || fd[i] == STDOUT_FILENO || fd[i] == STDERR_FILENO) {
newfd = dup(fd[i]);
if (newfd == -1) {
err = errno;
break;
}
closemask |= 1u << fd[i];
fd[i] = newfd;
}
/* Close temporary descriptors. */
if (closemask & (1u << STDIN_FILENO)) close(STDIN_FILENO);
if (closemask & (1u << STDOUT_FILENO)) close(STDOUT_FILENO);
if (closemask & (1u << STDERR_FILENO)) close(STDERR_FILENO);
/* Success? */
if (!err)
return 0;
/* Report error. */
errno = err;
return -1;
}
/* Return the number of peer processes.
If an error occurs, returns zero; examine errno. */
size_t peer_pids(const int connfd, pid_t *const pids, size_t maxpids)
{
char *in_data = NULL;
size_t in_size = 0;
size_t in_used = 0;
size_t n;
int binpipe[2], status;
pid_t child, p;
/* Sanity check. */
if (connfd == -1) {
errno = EBADF;
return 0;
}
/* Create a pipe to transfer the PIDs (in binary). */
if (pipe(binpipe) == -1)
return 0; /* errno set by pipe(). */
/* Make sure the binary pipe descriptors do not conflict with standard descriptors. */
if (normalfds(binpipe, 2) == -1) {
const int saved_errno = errno;
close(binpipe[0]);
close(binpipe[1]);
errno = saved_errno;
return 0;
}
/* Fork a child process. */
child = fork();
if (child == -1) {
const int saved_errno = errno;
close(binpipe[0]);
close(binpipe[1]);
errno = saved_errno;
return 0;
}
if (!child) {
/* This is the child process. */
#ifdef USE_SUDO
const char *cmd_path = SUDO_PATH;
char *const cmd_args[3] = { SUDO_NAME, HELPER_PATH, NULL };
#else
const char *cmd_path = HELPER_PATH;
char *const cmd_args[2] = { HELPER_NAME, NULL };
#endif
/* The child runs in its own process group, for easier management. */
setsid();
/* Close read end of pipe. */
close(binpipe[0]);
/* Move established connection to standard input. */
if (connfd != STDIN_FILENO) {
if (dup2(connfd, STDIN_FILENO) != STDIN_FILENO)
_Exit(99);
close(connfd);
}
/* Move write end of pipe to standard output. */
if (dup2(binpipe[1], STDOUT_FILENO) != STDOUT_FILENO)
_Exit(99);
else
close(binpipe[1]);
/* Execute helper. */
execv(cmd_path, cmd_args);
/* Failed to execute helper. */
_Exit(98);
}
/* Parent process. */
/* Close write end of pipe, so we detect when child exits. */
close(binpipe[1]);
/* Read all output from child. */
status = 0;
while (1) {
ssize_t bytes;
if (in_used >= in_size) {
const size_t size = (in_used | 1023) + 1025 - 8;
char *temp;
temp = realloc(in_data, in_size);
if (!temp) {
status = ENOMEM;
break;
}
in_data = temp;
in_size = size;
}
bytes = read(binpipe[0], in_data + in_used, in_size - in_used);
if (bytes > 0) {
in_used += bytes;
} else
if (bytes == 0) {
/* End of input condition. */
break;
} else
if (bytes != -1) {
status = EIO;
break;
} else
if (errno != EINTR) {
status = errno;
break;
}
}
/* Close the pipe. */
close(binpipe[0]);
/* Abort, if an error occurred. */
if (status) {
free(in_data);
kill(-child, SIGKILL);
do {
p = waitpid(child, NULL, 0);
} while (p == -1 && errno == EINTR);
errno = status;
return 0;
}
/* Reap the child process. */
do {
status = 0;
p = waitpid(child, &status, 0);
} while (p == -1 && errno == EINTR);
if (p == -1) {
const int saved_errno = errno;
free(in_data);
errno = saved_errno;
return 0;
}
if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
free(in_data);
errno = ESRCH; /* The helper command failed, really. */
return 0;
}
/* We expect an integer number of pid_t's. Check. */
n = in_used / sizeof (pid_t);
if ((in_used % sizeof (pid_t)) != 0) {
free(in_data);
errno = EIO;
return 0;
}
/* None found? */
if (!n) {
free(in_data);
errno = ENOENT; /* Not found, really. */
return 0;
}
/* Be paranoid, and verify the pids look sane. */
{
const pid_t *const pid = (const pid_t *const)in_data;
size_t i;
for (i = 0; i < n; i++)
if (pid[i] < 2) {
free(in_data);
errno = ESRCH; /* Helper failed */
return 0;
}
}
/* Copy to user buffer, if specified. */
if (maxpids > n)
memcpy(pids, in_data, n * sizeof (pid_t));
else
if (maxpids > 0)
memcpy(pids, in_data, maxpids * sizeof (pid_t));
/* The pid buffer is no longer needed. */
free(in_data);
/* Return the number of pids we actually received. */
return n;
}
int main(int argc, char *argv[])
{
struct addrinfo hints, *list, *curr;
const char *node, *serv;
int service_fd, err;
struct sockaddr_storage client_addr;
socklen_t client_addrlen;
int client_fd;
if (argc != 3) {
fprintf(stderr, "\n");
fprintf(stderr, "Usage: %s [ -h | --help ]\n", argv[0]);
fprintf(stderr, " %s HOST PORT\n", argv[0]);
fprintf(stderr, "\n");
return EXIT_FAILURE;
}
/* Install signal handers for Ctrl+C, HUP, and TERM. */
if (install_done(SIGINT) ||
install_done(SIGHUP) ||
install_done(SIGTERM)) {
fprintf(stderr, "Cannot install signal handlers: %s.\n", strerror(errno));
return EXIT_FAILURE;
}
/* Empty or - or * is a wildcard host. */
if (argv[1][0] == '\0' || !strcmp(argv[1], "-") || !strcmp(argv[1], "*"))
node = NULL;
else
node = argv[1];
serv = argv[2];
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC; /* IPv4 or IPv6 */
hints.ai_socktype = SOCK_STREAM; /* TCP */
hints.ai_flags = AI_PASSIVE;
hints.ai_protocol = 0;
hints.ai_canonname = NULL;
hints.ai_addr = NULL;
hints.ai_next = NULL;
list = NULL;
err = getaddrinfo(node, serv, &hints, &list);
if (err) {
fprintf(stderr, "Invalid host and/or port: %s.\n", gai_strerror(err));
return EXIT_FAILURE;
}
service_fd = -1;
err = 0;
for (curr = list; curr != NULL; curr = curr->ai_next) {
service_fd = socket(curr->ai_family, curr->ai_socktype, curr->ai_protocol);
if (service_fd == -1)
continue;
errno = 0;
if (bind(service_fd, curr->ai_addr, curr->ai_addrlen) == -1) {
if (!err)
if (errno == EADDRINUSE || errno == EADDRNOTAVAIL || errno == EACCES)
err = errno;
close(service_fd);
service_fd = -1;
continue;
}
if (listen(service_fd, 5) == -1) {
if (!err)
if (errno == EADDRINUSE)
err = errno;
close(service_fd);
service_fd = -1;
continue;
}
/* This socket works. */
break;
}
freeaddrinfo(list);
list = curr = NULL;
if (service_fd == -1) {
if (err)
fprintf(stderr, "Cannot listen for incoming connections on the specified host and port: %s.\n", strerror(err));
else
fprintf(stderr, "Cannot listen for incoming connections on the specified host and port.\n");
return EXIT_FAILURE;
}
/* Do not leak the listening socket to child processes. */
fcntl(service_fd, F_SETFD, FD_CLOEXEC);
/* We also want the listening socket to be nonblocking. */
fcntl(service_fd, F_SETFL, O_NONBLOCK);
fprintf(stderr, "Process %ld is waiting for incoming TCP connections.\n", (long)getpid());
/* Incoming connection loop. */
while (!done) {
struct timeval t;
char client_host[64]; /* 64 for numeric, 1024 for non-numeric */
char client_port[32];
pid_t client_pid;
fd_set fds;
t.tv_sec = 0;
t.tv_usec = 100000; /* Max. 0.1s delay to react to done signal. */
FD_ZERO(&fds);
FD_SET(service_fd, &fds);
if (select(service_fd + 1, &fds, NULL, NULL, &t) < 1)
continue;
client_addrlen = sizeof client_addr;
client_fd = accept(service_fd, (struct sockaddr *)&client_addr, &client_addrlen);
if (client_fd == -1) {
if (errno == EINTR || errno == ECONNABORTED)
continue;
fprintf(stderr, "Error accepting an incoming connection: %s.\n", strerror(errno));
continue;
}
if (getnameinfo((const struct sockaddr *)&client_addr, client_addrlen,
client_host, sizeof client_host, client_port, sizeof client_port,
NI_NUMERICHOST | NI_NUMERICSERV) != 0) {
fprintf(stderr, "Cannot resolve peer address for incoming connection, so dropping it.\n");
close(client_fd);
continue;
}
printf("Incoming connection from %s:%s", client_host, client_port);
fflush(stdout);
if (peer_pids(client_fd, &client_pid, 1) != 1) {
printf(", but cannot determine process ID. Dropped.\n");
close(client_fd);
continue;
}
printf(" from local process %ld.\n", (long)client_pid);
fflush(stdout);
/*
* Handle connection.
*/
printf("Closing connection.\n");
fflush(stdout);
close(client_fd);
}
/* Close service socket. */
close(service_fd);
switch (__atomic_load_n(&done, __ATOMIC_SEQ_CST)) {
case SIGINT:
fprintf(stderr, "Received INT signal.\n");
break;
case SIGHUP:
fprintf(stderr, "Received HUP signal.\n");
break;
case SIGTERM:
fprintf(stderr, "Received TERM signal.\n");
break;
}
return EXIT_SUCCESS;
}
The peer_pids() function communicates with the helper process. It is very straightforward, albeit careful to not return unreliable data: instead of ignoring errors or trying to recover from them, it reports failure. This allows the main program do if (peer_pids(client_fd, &pid, 1) != 1) /* Don't know! */ and drop any connection the server is unsure of -- an approach I consider the sane one here.
The normalfds() helper function is often ignored. It helps avoid issues if any of the standard streams are/get closed. It simply moves the set of descriptors away from the three standard streams, using at most three extra descriptors.
You can define USE_SUDO at compile time to have it use sudo when executing the helper. Define HELPER_PATH and HELPER_NAME to the absolute path to the helper and its file name, respectively. (As it is now, they default to ./tcp-peer-pid and tcp-peer-pid, for easier testing.)
The server does install a signal handler for INT (Ctrl+C), HUP (sent when the user closes the terminal), or TERM signals, which all cause it to stop accepting new connections and exit in a controlled manner. (Because the signal handler is installed using SA_RESTART flag, its delivery will not interrupt slow syscalls or cause errno == EINTR. This also means that accept() should not block, or the signal delivery will not be noticed. So, blocking in select() for 0.1s, and checking if a signal was delivered in between, is a good compromise, at least in an example server.)
On my machine, I compiled and tested the service in one terminal window using
gcc -Wall -O2 tcp-peer-pids.c -o tcp-peer-pids
gcc -Wall -O2 "-DHELPER_PATH=\"$PWD/tcp-peer-pids\"" server.c -o server
./server - 2400
That will report Process # is waiting for incoming TCP connections. In another window, using Bash or POSIX shell, I run one or more test netcat commands:
nc localhost 2400 & wait
It might look silly to run a command in the background, and immediately wait for it, but that way you can see the PID of the nc process.
On my system, all loopback (127.x.y.z), TCP/IPv4, and TCP/IPv6 (the addresses of my ethernet and WiFi interfaces) worked fine, and reliably reported the correct PID of the process connecting to the example server.
There are a number of cases where the number of PIDs reported might vary: For example, if the program has executed a child process, but left the connected descriptor open in the child as well. (This should be considered a bug.) Another typical case is the program having exited before the netstat command executes.
If you find any typos or errors or strange behaviour, let me know in a comment so I can verify and fix. I wrote both programs in one sitting, so they are quite likely to contain bugs. As I mentioned, I would not trust either in production before having a colleague (or myself a few times, later on, with fresh eyes) going through it with a critical/paranoid eye.
I would personally only use this approach for logging and statistics, not access control per se. By access control, I mean that you should configure an IP filter (the firewall built in to the Linux kernel) to limit access to only trusted hosts; and specifically allow no incoming proxy connections to the proxy service if only local applications are to be proxied, rather than rely on this detecting all remote connections.
For application-specific logging/limiting, use readlink() on the /proc/PID/exe pseudosymlink. This cannot be faked, but the call may fail if the executable is not accessible, or is too deep in the directory tree. (In those cases I'd reject the proxy connection altogether.)
Note that it is usually trivial for an user to copy an executable to any directory they own, and execute it from there. This means that for application-specific limiting to work at all, you should have tight limits for all applications by default, and relax the limits for specific executables.

D-BUS in BeagleBone Black

My goal: Is to monitor the state of my network interface (mainly wireless) from my firmware (in C) by monitoring the wpa_supplicant through the D-Bus interfaces. I would like to stick with C and low-level API of D-bus.
What I have so far
I've written a small program in C, copied most of the code as is from this SO user.
I've gone through all possible tutorials on D-Bus and wpa_supplicant
My program compiles and works properly. However it does not produce the expected output.
Here's my code:
#include <stdio.h>
#include <dbus/dbus.h>
#define WPAS_DBUS_SERVICE "fi.epitest.hostap.WPASupplicant"
#define WPAS_DBUS_PATH "/fi/epitest/hostap/WPASupplicant"
#define WPAS_DBUS_INTERFACE "fi.epitest.hostap.WPASupplicantAAA"
#define WPAS_DBUS_PATH_INTERFACES WPAS_DBUS_PATH "/Interfaces"
#define WPAS_DBUS_IFACE_INTERFACE WPAS_DBUS_INTERFACE ".Interfaces"
#define WPAS_DBUS_NETWORKS_PART "Networks"
#define WPAS_DBUS_IFACE_NETWORK WPAS_DBUS_INTERFACE ".Network"
#define WPAS_DBUS_BSSIDS_PART "BSSIDs"
#define WPAS_DBUS_IFACE_BSSID WPAS_DBUS_INTERFACE ".BSSID"
int ret;
char signalDesc[1024]; // Signal description as string
// Signal handling
signal(SIGKILL, stopLoop);
signal(SIGTERM, stopLoop);
void loop(DBusConnection* conn)
{
DBusMessage* msg;
DBusMessageIter args;
DBusMessageIter subArgs;
int argType;
int i;
int buffSize = 1024;
char strValue[buffSize];
const char* member = 0;
while (1)
{
// non blocking read of the next available message
dbus_connection_read_write(conn, 0);
msg = dbus_connection_pop_message(conn);
// loop again if we haven't read a message
if (!msg)
{
printf("No message received, waiting a little ...\n");
sleep(1);
continue;
}
else printf("Got a message, will analyze it ...\n");
// Print the message member
printf("Got message for interface %s\n",
dbus_message_get_interface(msg));
member = dbus_message_get_member(msg);
if(member) printf("Got message member %s\n", member);
// Check has argument
if (!dbus_message_iter_init(msg, &args))
{
printf("Message has no argument\n");
continue;
}
else
{
// Go through arguments
while(1)
{
argType = dbus_message_iter_get_arg_type(&args);
if (argType == DBUS_TYPE_STRING)
{
printf("Got string argument, extracting ...\n");
char* str = NULL;
dbus_message_iter_get_basic(&args, &str);
printf("Received string: \n %s \n",str);
}
else
printf("Arg type not implemented yet !\n");
if(dbus_message_iter_has_next(&args))
dbus_message_iter_next(&args);
else break;
}
printf("No more arguments!\n");
}
// free the message
dbus_message_unref(msg);
}
}
int main()
{
DBusConnection *connection;
DBusError error;
char *name = "org.share.linux";
dbus_error_init(&error);
connection = dbus_bus_get(DBUS_BUS_SYSTEM, &error);
if ( dbus_error_is_set(&error) )
{
printf("Error connecting to the daemon bus: %s",error.message);
dbus_error_free(&error);
return 1;
}
// request a name on the bus
ret = dbus_bus_request_name(connection, WPAS_DBUS_SERVICE, 0, &error);
if (dbus_error_is_set(&error))
{
printf(stderr, "Name Error (%s)\n", error.message);
dbus_error_free(&error);
}
/* Connect to signal */
// Interface signal ..
printf(signalDesc, "type='signal',interface='%s'",WPAS_DBUS_IFACE_INTERFACE);
dbus_bus_add_match(connection, signalDesc, &error);
dbus_connection_flush(connection);
if (dbus_error_is_set(&error))
{
fprintf(stderr, "Match Error (%s)\n", error.message);
return 1;
}
// Do main loop
loop(connection);
dbus_connection_close(connection);
return 0;
}
List of D-bus services on my BBB
Output
Some pointers
I would like to catch the signals as shown in the D-Bus API of wpa_supplicant.
Some things I would like to do -- see when a wireless interface say wlan0 is enabled, connects to access point etc. Also capability to set AP and stuff.
Its catching signal from other interfaces for which no match has been added.
I run this program and change the state of the networking interfaces but I dont get any signals. Also, I dont know if requesting name on the bus is necessary as I'm just listening.
What's the possible issue here? Any pointers will be really helpful.

How to monitor an external process for events by its PID in C?

Is there any library which's got some function the allows one to monitor an external process for events by its pid_t? I mean, monitoring whether an external process has exited, or whether it has created one or more child processes (with fork), or whether it has become another executable image (via an exec or posix_spawn function family call) or whether a Unix signal was delivered to it.
EDIT
I need something that does not interfere with the execution of the program that is being monitored. So, I'm not supposed to use ptrace, since it stops the process which is being monitored when it emits some signal and it's necessary to resume the process whenever this happens.
Run the target binary using a preload library that catches fork(). As long as all child processes also use the preload library, you'll see all local child processes, no matter how executed.
Here is an example implementation.
First, the forkmonitor.h header file. It defines the messages passed from the preload library, to the monitoring process:
#ifndef FORKMONITOR_H
#define FORKMONITOR_H
#define FORKMONITOR_ENVNAME "FORKMONITOR_SOCKET"
#ifndef UNIX_PATH_MAX
#define UNIX_PATH_MAX 108
#endif
#define TYPE_EXEC 1 /* When a binary is executed */
#define TYPE_DONE 2 /* exit() or return from main() */
#define TYPE_FORK 3
#define TYPE_VFORK 4
#define TYPE_EXIT 5 /* _exit() or _Exit() */
#define TYPE_ABORT 6 /* abort() */
struct message {
pid_t pid; /* Process ID */
pid_t ppid; /* Parent process ID */
pid_t sid; /* Session ID */
pid_t pgid; /* Process group ID */
uid_t uid; /* Real user ID */
gid_t gid; /* Real group ID */
uid_t euid; /* Effective user ID */
gid_t egid; /* Effective group ID */
unsigned short len; /* Length of data[] */
unsigned char type; /* One of the TYPE_ constants */
char data[0]; /* Optional payload, possibly longer */
};
#endif /* FORKMONITOR_H */
The FORKMONITOR_SOCKET environment variable (named by the FORKMONITOR_ENVNAME macro above) specifies the Unix domain datagram socket addess to the monitoring process. If not defined or empty, no monitoring messages are sent.
Here is the library itself, libforkmonitor.c.
Note that I simplified the code quite a bit, leaving out multithreaded initialization (since it's rare for a library to call any of the intercepted functions, and even rarer to do it from multiple threads). It would be better to use atomic built-ins (__sync_bool_compare_and_swap()) to update the function pointer, and atomic getter (__sync_fetch_and_or(,0)) to retrieve the function pointer, to avoid any issues with wonky libraries. (This is quite safe for multithreaded programs, as the pointers will only be modified prior to main() is executed.)
#define _POSIX_C_SOURCE 200809L
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <dlfcn.h>
#include <limits.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include "forkmonitor.h"
static pid_t (*actual_fork)(void) = NULL;
static pid_t (*actual_vfork)(void) = NULL;
static void (*actual_abort)(void) = NULL;
static void (*actual__exit)(int) = NULL;
static void (*actual__Exit)(int) = NULL;
static int commfd = -1;
#define MINIMUM_COMMFD 31
static void notify(const int type, struct message *const msg, const size_t extra)
{
const int saved_errno = errno;
msg->pid = getpid();
msg->ppid = getppid();
msg->sid = getsid(0);
msg->pgid = getpgrp();
msg->uid = getuid();
msg->gid = getgid();
msg->euid = geteuid();
msg->egid = getegid();
msg->len = extra;
msg->type = type;
/* Since we don't have any method of dealing with send() errors
* or partial send()s, we just fire one off and hope for the best. */
send(commfd, msg, sizeof (struct message) + extra, MSG_EOR | MSG_NOSIGNAL);
errno = saved_errno;
}
void libforkmonitor_init(void) __attribute__((constructor));
void libforkmonitor_init(void)
{
const int saved_errno = errno;
int result;
/* Save the actual fork() call pointer. */
if (!actual_fork)
*(void **)&actual_fork = dlsym(RTLD_NEXT, "fork");
/* Save the actual vfork() call pointer. */
if (!actual_vfork)
*(void **)&actual_vfork = dlsym(RTLD_NEXT, "vfork");
/* Save the actual abort() call pointer. */
if (!actual_abort)
*(void **)&actual_abort = dlsym(RTLD_NEXT, "abort");
/* Save the actual _exit() call pointer. */
if (!actual__exit)
*(void **)&actual__exit = dlsym(RTLD_NEXT, "_exit");
if (!actual__exit)
*(void **)&actual__exit = dlsym(RTLD_NEXT, "_Exit");
/* Save the actual abort() call pointer. */
if (!actual__Exit)
*(void **)&actual__Exit = dlsym(RTLD_NEXT, "_Exit");
if (!actual__Exit)
*(void **)&actual__Exit = dlsym(RTLD_NEXT, "_exit");
/* Open an Unix domain datagram socket to the observer. */
if (commfd == -1) {
const char *address;
/* Connect to where? */
address = getenv(FORKMONITOR_ENVNAME);
if (address && *address) {
struct sockaddr_un addr;
memset(&addr, 0, sizeof addr);
addr.sun_family = AF_UNIX;
strncpy(addr.sun_path, address, sizeof addr.sun_path - 1);
/* Create and bind the socket. */
commfd = socket(AF_UNIX, SOCK_DGRAM, 0);
if (commfd != -1) {
if (connect(commfd, (const struct sockaddr *)&addr, sizeof (addr)) == -1) {
/* Failed. Close the socket. */
do {
result = close(commfd);
} while (result == -1 && errno == EINTR);
commfd = -1;
}
}
/* Move commfd to a high descriptor, to avoid complications. */
if (commfd != -1 && commfd < MINIMUM_COMMFD) {
const int newfd = MINIMUM_COMMFD;
do {
result = dup2(commfd, newfd);
} while (result == -1 && errno == EINTR);
if (!result) {
do {
result = close(commfd);
} while (result == -1 && errno == EINTR);
commfd = newfd;
}
}
}
}
/* Send an init message, listing the executable path. */
if (commfd != -1) {
size_t len = 128;
struct message *msg = NULL;
while (1) {
ssize_t n;
free(msg);
msg = malloc(sizeof (struct message) + len);
if (!msg) {
len = 0;
break;
}
n = readlink("/proc/self/exe", msg->data, len);
if (n > (ssize_t)0 && (size_t)n < len) {
msg->data[n] = '\0';
len = n + 1;
break;
}
len = (3 * len) / 2;
if (len >= 65536U) {
free(msg);
msg = NULL;
len = 0;
break;
}
}
if (len > 0) {
/* INIT message with executable name */
notify(TYPE_EXEC, msg, len);
free(msg);
} else {
/* INIT message without executable name */
struct message msg2;
notify(TYPE_EXEC, &msg2, sizeof msg2);
}
}
/* Restore errno. */
errno = saved_errno;
}
void libforkmonitor_done(void) __attribute__((destructor));
void libforkmonitor_done(void)
{
const int saved_errno = errno;
int result;
/* Send an exit message, no data. */
if (commfd != -1) {
struct message msg;
notify(TYPE_DONE, &msg, sizeof msg);
}
/* If commfd is open, close it. */
if (commfd != -1) {
do {
result = close(commfd);
} while (result == -1 && errno == EINTR);
}
/* Restore errno. */
errno = saved_errno;
}
/*
* Hooked C library functions.
*/
pid_t fork(void)
{
pid_t result;
if (!actual_fork) {
const int saved_errno = errno;
*(void **)&actual_fork = dlsym(RTLD_NEXT, "fork");
if (!actual_fork) {
errno = EAGAIN;
return (pid_t)-1;
}
errno = saved_errno;
}
result = actual_fork();
if (!result && commfd != -1) {
struct message msg;
notify(TYPE_FORK, &msg, sizeof msg);
}
return result;
}
pid_t vfork(void)
{
pid_t result;
if (!actual_vfork) {
const int saved_errno = errno;
*(void **)&actual_vfork = dlsym(RTLD_NEXT, "vfork");
if (!actual_vfork) {
errno = EAGAIN;
return (pid_t)-1;
}
errno = saved_errno;
}
result = actual_vfork();
if (!result && commfd != -1) {
struct message msg;
notify(TYPE_VFORK, &msg, sizeof msg);
}
return result;
}
void _exit(const int code)
{
if (!actual__exit) {
const int saved_errno = errno;
*(void **)&actual__exit = dlsym(RTLD_NEXT, "_exit");
if (!actual__exit)
*(void **)&actual__exit = dlsym(RTLD_NEXT, "_Exit");
errno = saved_errno;
}
if (commfd != -1) {
struct {
struct message msg;
int extra;
} data;
memcpy(&data.msg.data[0], &code, sizeof code);
notify(TYPE_EXIT, &(data.msg), sizeof (struct message) + sizeof (int));
}
if (actual__exit)
actual__exit(code);
exit(code);
}
void _Exit(const int code)
{
if (!actual__Exit) {
const int saved_errno = errno;
*(void **)&actual__Exit = dlsym(RTLD_NEXT, "_Exit");
if (!actual__Exit)
*(void **)&actual__Exit = dlsym(RTLD_NEXT, "_exit");
errno = saved_errno;
}
if (commfd != -1) {
struct {
struct message msg;
int extra;
} data;
memcpy(&data.msg.data[0], &code, sizeof code);
notify(TYPE_EXIT, &(data.msg), sizeof (struct message) + sizeof (int));
}
if (actual__Exit)
actual__Exit(code);
exit(code);
}
void abort(void)
{
if (!actual_abort) {
const int saved_errno = errno;
*(void **)&actual_abort = dlsym(RTLD_NEXT, "abort");
errno = saved_errno;
}
if (commfd != -1) {
struct message msg;
notify(TYPE_ABORT, &msg, sizeof msg);
}
actual_abort();
exit(127);
}
The libforkmonitor_init() function is called automatically by the runtime linker before the process main() is called, and libforkmonitor_done() is called when the process returns from main() or calls exit().
The libforkmonitor_init() opens an Unix domain datagram socket to the monitoring process, and sends its credentials and the path to the current executable. Every child process (as long as the preload library is still loaded) executes this after they're loaded, so there is no need to catch exec*() or posix_spawn*() or 'popen()` etc. functions at all.
The C library functions fork() and vfork() are intercepted. These interceptions are needed to catch the cases where the original program forks to create slave processes without executing any other binary. (At least GNU C library uses fork() internally, so these will catch popen(), posix_spawn(), etc. too.)
Additionally, C library functions _exit(), _Exit(), and abort() are intercepted too. I added these because some binaries, especially Dash, like to use _exit(), and I thought it would be nice to catch all forms of normal exits. (Death due to signals is not detected, however; and if a binary executes another binary, you'll only get the new EXEC message. Note the process and parent process ID's.)
Here is a simple monitoring program, forkmonitor.c:
#define _POSIX_C_SOURCE 200809L
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <signal.h>
#include <pwd.h>
#include <grp.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include "forkmonitor.h"
static volatile sig_atomic_t done = 0;
static void done_handler(const int signum)
{
if (!done)
done = signum;
}
static int catch_done(const int signum)
{
struct sigaction act;
sigemptyset(&act.sa_mask);
act.sa_handler = done_handler;
act.sa_flags = 0;
if (sigaction(signum, &act, NULL) == -1)
return errno;
return 0;
}
static const char *username(const uid_t uid)
{
static char buffer[128];
struct passwd *pw;
pw = getpwuid(uid);
if (!pw)
return NULL;
strncpy(buffer, pw->pw_name, sizeof buffer - 1);
buffer[sizeof buffer - 1] = '\0';
return (const char *)buffer;
}
static const char *groupname(const gid_t gid)
{
static char buffer[128];
struct group *gr;
gr = getgrgid(gid);
if (!gr)
return NULL;
strncpy(buffer, gr->gr_name, sizeof buffer - 1);
buffer[sizeof buffer - 1] = '\0';
return (const char *)buffer;
}
int main(int argc, char *argv[])
{
const size_t msglen = 65536;
struct message *msg;
int socketfd, result;
const char *user, *group;
if (catch_done(SIGINT) || catch_done(SIGQUIT) || catch_done(SIGHUP) ||
catch_done(SIGTERM) || catch_done(SIGPIPE)) {
fprintf(stderr, "Cannot set signal handlers: %s.\n", strerror(errno));
return 1;
}
if (argc != 2 || !strcmp(argv[1], "-h") || !strcmp(argv[1], "--help")) {
fprintf(stderr, "\n");
fprintf(stderr, "Usage: %s [ -h | --help ]\n", argv[0]);
fprintf(stderr, " %s MONITOR-SOCKET-PATH\n", argv[0]);
fprintf(stderr, "\n");
fprintf(stderr, "This program outputs events reported by libforkmonitor\n");
fprintf(stderr, "to Unix domain datagram sockets at MONITOR-SOCKET-PATH.\n");
fprintf(stderr, "\n");
return 0;
}
msg = malloc(msglen);
if (!msg) {
fprintf(stderr, "Out of memory.\n");
return 1;
}
socketfd = socket(AF_UNIX, SOCK_DGRAM, 0);
if (socketfd == -1) {
fprintf(stderr, "Cannot create an Unix domain datagram socket: %s.\n", strerror(errno));
return 1;
}
{
struct sockaddr_un addr;
size_t len;
if (argv[1])
len = strlen(argv[1]);
else
len = 0;
if (len < 1 || len >= UNIX_PATH_MAX) {
fprintf(stderr, "%s: Path is too long (max. %d characters)\n", argv[1], UNIX_PATH_MAX - 1);
return 1;
}
memset(&addr, 0, sizeof addr);
addr.sun_family = AF_UNIX;
memcpy(addr.sun_path, argv[1], len + 1); /* Include '\0' at end */
if (bind(socketfd, (struct sockaddr *)&addr, sizeof (addr)) == -1) {
fprintf(stderr, "Cannot bind to %s: %s.\n", argv[1], strerror(errno));
return 1;
}
}
printf("Waiting for connections.\n");
printf("\n");
/* Infinite loop. */
while (!done) {
ssize_t n;
n = recv(socketfd, msg, msglen, 0);
if (n == -1) {
const char *const errmsg = strerror(errno);
fprintf(stderr, "%s.\n", errmsg);
fflush(stderr);
break;
}
if (msglen < sizeof (struct message)) {
fprintf(stderr, "Received a partial message; discarded.\n");
fflush(stderr);
continue;
}
switch (msg->type) {
case TYPE_EXEC:
printf("Received an EXEC message:\n");
break;
case TYPE_DONE:
printf("Received a DONE message:\n");
break;
case TYPE_FORK:
printf("Received a FORK message:\n");
break;
case TYPE_VFORK:
printf("Received a VFORK message:\n");
break;
case TYPE_EXIT:
printf("Received an EXIT message:\n");
break;
case TYPE_ABORT:
printf("Received an ABORT message:\n");
break;
default:
printf("Received an UNKNOWN message:\n");
break;
}
if (msg->type == TYPE_EXEC && (size_t)n > sizeof (struct message)) {
if (*((char *)msg + n - 1) == '\0')
printf("\tExecutable: '%s'\n", (char *)msg + sizeof (struct message));
}
printf("\tProcess ID: %d\n", (int)msg->pid);
printf("\tParent process ID: %d\n", (int)msg->ppid);
printf("\tSession ID: %d\n", (int)msg->sid);
printf("\tProcess group ID: %d\n", (int)msg->pgid);
user = username(msg->uid);
if (user)
printf("\tReal user: '%s' (%d)\n", user, (int)msg->uid);
else
printf("\tReal user: %d\n", (int)msg->uid);
group = groupname(msg->gid);
if (group)
printf("\tReal group: '%s' (%d)\n", group, (int)msg->gid);
else
printf("\tReal group: %d\n", (int)msg->gid);
user = username(msg->euid);
if (user)
printf("\tEffective user: '%s' (%d)\n", user, (int)msg->euid);
else
printf("\tEffective user: %d\n", (int)msg->euid);
group = groupname(msg->egid);
if (group)
printf("\tEffective group: '%s' (%d)\n", group, (int)msg->egid);
else
printf("\tEffective group: %d\n", (int)msg->egid);
printf("\n");
fflush(stdout);
}
do {
result = close(socketfd);
} while (result == -1 && errno == EINTR);
unlink(argv[1]);
return 0;
}
It takes a single command-line parameter, the Unix domain socket address. It should be an absolute file system path.
You can stop the monitoring program via INT (Ctrl+C), HUP, QUIT, and TERM signals.
Compile the library using
gcc -W -Wall -O3 -fpic -fPIC -c libforkmonitor.c
gcc -shared -Wl,-soname,libforkmonitor.so libforkmonitor.o -ldl -o libforkmonitor.so
and the monitor program using
gcc -W -Wall -O3 forkmonitor.c -o forkmonitor
In one terminal window, start the forkmonitor first:
./forkmonitor "$PWD/commsocket"
In another terminal window, in the same directory, run the monitored command, automatically preloading the libforkmonitor.so library and specifying the socket for the monitor:
env "LD_PRELOAD=$PWD/libforkmonitor.so" "FORKMONITOR_SOCKET=$PWD/commsocket" command args...
Note that because this uses the LD_PRELOAD and FORKMONITOR_SOCKET environment variables, child processes are ignored if their parent modifies the environment (removing the two environment variables), and when executing setuid or setgid binaries. This limitation can be avoided by eliminating the environment variables, and hardcoding them.
The run-time linker will not preload libraries for setuid or setgid binaries, unless the library is in one of the standard library directories, and also marked setgid.
Adding the library name to /etc/ld.so.preload will preload the library for all binaries, but you probably should add a mechanism into libforkmonitor_init() which limits the monitoring to desired binaries and/or a specified real user (as effective user changes when running a setuid binary).
For example, when I run
env "LD_PRELOAD=$PWD/libforkmonitor.so" "FORKMONITOR_SOCKET=$PWD/commsocket" sh -c 'date ; ls -laF'
the monitoring output is (anonymized):
Received an EXEC message:
Executable: 'bin/dash'
Process ID: 11403
Parent process ID: 9265
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
Received a FORK message:
Process ID: 11404
Parent process ID: 11403
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
Received an EXEC message:
Executable: 'bin/date'
Process ID: 11404
Parent process ID: 11403
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
Received a DONE message:
Process ID: 11404
Parent process ID: 11403
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
Received a FORK message:
Process ID: 11405
Parent process ID: 11403
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
Received an EXEC message:
Executable: 'bin/ls'
Process ID: 11405
Parent process ID: 11403
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
Received a DONE message:
Process ID: 11405
Parent process ID: 11403
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
Received an EXIT message:
Process ID: 11403
Parent process ID: 9265
Session ID: 9265
Process group ID: 11403
Real user: 'username' (1000)
Real group: 'username' (1000)
Effective user: 'username' (1000)
Effective group: 'username' (1000)
This is a very lightweight process tree monitoring solution. Other than process startup, exit, and calling one of the intercepted functions (fork(), vfork(), _exit(), _Exit(), abort()), program execution will not be affected at all. Because the library is so lightweight, even those affected will only be affected by a very, very small amount; probably not enough to measure reliably.
It is obviously possible to intercept other functions, and/or use two-way communication, "pausing" the execution of the intercepted function until the monitoring application responds.
There are some pitfalls overall, especially related to setuid/setgid processes, and processes that generate a new environment (omitting the LD_PRELOAD and FORKMONITOR_SOCKET environment variables), but those can be worked around if superuser privileges are available.
Hope you find this informative. Questions?
If you can run as root, then you can use the netlink interface proc events:
http://bewareofgeek.livejournal.com/2945.html
I just compiled it cleanly on fedora 17 x86_64 and it gives me this:
[root#hip1 yotest]# ./proc
set mcast listen ok
fork: parent tid=2358 pid=2358 -> child tid=21007 pid=21007
exec: tid=21007 pid=21007
fork: parent tid=21007 pid=21007 -> child tid=21008 pid=21008
fork: parent tid=21007 pid=21007 -> child tid=21009 pid=21009
fork: parent tid=21007 pid=21007 -> child tid=21010 pid=21010
fork: parent tid=21007 pid=21007 -> child tid=21011 pid=21011
exec: tid=21010 pid=21010
exec: tid=21008 pid=21008
exec: tid=21011 pid=21011
exec: tid=21009 pid=21009
exit: tid=21008 pid=21008 exit_code=0
fork: parent tid=21010 pid=21010 -> child tid=21012 pid=21012
exit: tid=21009 pid=21009 exit_code=0
exec: tid=21012 pid=21012
exit: tid=21012 pid=21012 exit_code=0
exit: tid=21010 pid=21010 exit_code=0
exit: tid=21011 pid=21011 exit_code=0
exit: tid=21007 pid=21007 exit_code=0
You'll need to filter for the specific pids which are of interest to you, but you can easily do that in the switch statement on line 107.
For purposes of preservation:
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>
#include <signal.h>
#include <errno.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
/*
* connect to netlink
* returns netlink socket, or -1 on error
*/
static int nl_connect()
{
int rc;
int nl_sock;
struct sockaddr_nl sa_nl;
nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
if (nl_sock == -1) {
perror("socket");
return -1;
}
sa_nl.nl_family = AF_NETLINK;
sa_nl.nl_groups = CN_IDX_PROC;
sa_nl.nl_pid = getpid();
rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
if (rc == -1) {
perror("bind");
close(nl_sock);
return -1;
}
return nl_sock;
}
/*
* subscribe on proc events (process notifications)
*/
static int set_proc_ev_listen(int nl_sock, bool enable)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
enum proc_cn_mcast_op cn_mcast;
};
} nlcn_msg;
memset(&nlcn_msg, 0, sizeof(nlcn_msg));
nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
nlcn_msg.nl_hdr.nlmsg_pid = getpid();
nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
nlcn_msg.cn_mcast = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE;
rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == -1) {
perror("netlink send");
return -1;
}
return 0;
}
/*
* handle a single process event
*/
static volatile bool need_exit = false;
static int handle_proc_ev(int nl_sock)
{
int rc;
struct __attribute__ ((aligned(NLMSG_ALIGNTO))) {
struct nlmsghdr nl_hdr;
struct __attribute__ ((__packed__)) {
struct cn_msg cn_msg;
struct proc_event proc_ev;
};
} nlcn_msg;
while (!need_exit) {
rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
if (rc == 0) {
/* shutdown? */
return 0;
} else if (rc == -1) {
if (errno == EINTR) continue;
perror("netlink recv");
return -1;
}
switch (nlcn_msg.proc_ev.what) {
case PROC_EVENT_NONE:
printf("set mcast listen ok\n");
break;
case PROC_EVENT_FORK:
printf("fork: parent tid=%d pid=%d -> child tid=%d pid=%d\n",
nlcn_msg.proc_ev.event_data.fork.parent_pid,
nlcn_msg.proc_ev.event_data.fork.parent_tgid,
nlcn_msg.proc_ev.event_data.fork.child_pid,
nlcn_msg.proc_ev.event_data.fork.child_tgid);
break;
case PROC_EVENT_EXEC:
printf("exec: tid=%d pid=%d\n",
nlcn_msg.proc_ev.event_data.exec.process_pid,
nlcn_msg.proc_ev.event_data.exec.process_tgid);
break;
case PROC_EVENT_UID:
printf("uid change: tid=%d pid=%d from %d to %d\n",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.ruid,
nlcn_msg.proc_ev.event_data.id.e.euid);
break;
case PROC_EVENT_GID:
printf("gid change: tid=%d pid=%d from %d to %d\n",
nlcn_msg.proc_ev.event_data.id.process_pid,
nlcn_msg.proc_ev.event_data.id.process_tgid,
nlcn_msg.proc_ev.event_data.id.r.rgid,
nlcn_msg.proc_ev.event_data.id.e.egid);
break;
case PROC_EVENT_EXIT:
printf("exit: tid=%d pid=%d exit_code=%d\n",
nlcn_msg.proc_ev.event_data.exit.process_pid,
nlcn_msg.proc_ev.event_data.exit.process_tgid,
nlcn_msg.proc_ev.event_data.exit.exit_code);
break;
default:
printf("unhandled proc event\n");
break;
}
}
return 0;
}
static void on_sigint(int unused)
{
need_exit = true;
}
int main(int argc, const char *argv[])
{
int nl_sock;
int rc = EXIT_SUCCESS;
signal(SIGINT, &on_sigint);
siginterrupt(SIGINT, true);
nl_sock = nl_connect();
if (nl_sock == -1)
exit(EXIT_FAILURE);
rc = set_proc_ev_listen(nl_sock, true);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
rc = handle_proc_ev(nl_sock);
if (rc == -1) {
rc = EXIT_FAILURE;
goto out;
}
set_proc_ev_listen(nl_sock, false);
out:
close(nl_sock);
exit(rc);
}
(gcc -o proc proc.c)
And some info on netlink:
excerpt: http://www.linuxjournal.com/article/7356
Netlink is asynchronous because, as with any other socket API, it provides a socket queue to smooth the burst of messages. The system call for sending a netlink message queues the message to the receiver's netlink queue and then invokes the receiver's reception handler. The receiver, within the reception handler's context, can decide whether to process the message immediately or leave the message in the queue and process it later in a different context. Unlike netlink, system calls require synchronous processing. Therefore, if we use a system call to pass a message from user space to the kernel, the kernel scheduling granularity may be affected if the time to process that message is long.
There's also this interesting announcement for nltrace made recently that you might find interesting as well! http://lists.infradead.org/pipermail/libnl/2013-April/000993.html
There are few tools available which can collect information about a process while it is running.
I suggest you to use perf and systemTap.
https://perf.wiki.kernel.org/index.php/Main_Page
http://sourceware.org/systemtap/SystemTap_Beginners_Guide/index.html
Use "pidof" system command from the procps library .
Very simple and easy to use.
If it returns something then the process is running or vice versa.

Socket handle transfer between independent processes

I am doing some experiments in socket programming(in unix environment). What I am trying is
Client sends request to Server.
Server should send the clients socket to Worker(An Independent process)
Worker should reply back to Client.
Is this possible?
This scenario works if Worker is a child of Server.
If Server and Worker are independent processes does this work?
If yes can somebody give me some ideas about this ?
Is there any samples available for this type of scenario ?
The Linux Programming Interface book has examples for both sending and receiving file descriptors between unrelated processes, using an Unix domain socket.
For fun, I wrote my own examples from scratch. server.c:
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
/* How many concurrent pending connections are allowed */
#define LISTEN_BACKLOG 32
/* Unix domain socket path length (including NUL byte) */
#ifndef UNIX_PATH_LEN
#define UNIX_PATH_LEN 108
#endif
/* Flag to indicate we have received a shutdown request. */
volatile sig_atomic_t done = 0;
/* Shutdown request signal handler, of the basic type. */
void handle_done_signal(int signum)
{
if (!done)
done = signum;
return;
}
/* Install shutdown request signal handler on signal signum. */
int set_done_signal(const int signum)
{
struct sigaction act;
sigemptyset(&act.sa_mask);
act.sa_handler = handle_done_signal;
act.sa_flags = 0;
if (sigaction(signum, &act, NULL) == -1)
return errno;
else
return 0;
}
/* Return empty, -, and * as NULL, so users can use that
* to bind the server to the wildcard address.
*/
char *wildcard(char *address)
{
/* NULL? */
if (!address)
return NULL;
/* Empty? */
if (!address[0])
return NULL;
/* - or ? or * or : */
if (address[0] == '-' || address[0] == '?' ||
address[0] == '*' || address[0] == ':')
return NULL;
return address;
}
int main(int argc, char *argv[])
{
struct addrinfo hints;
struct addrinfo *list, *curr;
int listenfd, failure;
struct sockaddr_un worker;
int workerfd, workerpathlen;
struct sockaddr_in6 conn;
socklen_t connlen;
struct msghdr connhdr;
struct iovec conniov;
struct cmsghdr *connmsg;
char conndata[1];
char connbuf[CMSG_SPACE(sizeof (int))];
int connfd;
int result;
ssize_t written;
if (argc != 4) {
fprintf(stderr, "\n");
fprintf(stderr, "Usage: %s ADDRESS PORT WORKER\n", argv[0]);
fprintf(stderr, "This creates a server that binds to ADDRESS and PORT,\n");
fprintf(stderr, "and passes each connection to a separate unrelated\n");
fprintf(stderr, "process using an Unix domain socket at WORKER.\n");
fprintf(stderr, "\n");
return (argc == 1) ? 0 : 1;
}
/* Handle HUP, INT, PIPE, and TERM signals,
* so when the user presses Ctrl-C, the worker process cannot be contacted,
* or the user sends a HUP or TERM signal, this server closes down cleanly. */
if (set_done_signal(SIGINT) ||
set_done_signal(SIGHUP) ||
set_done_signal(SIGPIPE) ||
set_done_signal(SIGTERM)) {
fprintf(stderr, "Error: Cannot install signal handlers.\n");
return 1;
}
/* Unix domain socket to the worker */
memset(&worker, 0, sizeof worker);
worker.sun_family = AF_UNIX;
workerpathlen = strlen(argv[3]);
if (workerpathlen < 1) {
fprintf(stderr, "Worker Unix domain socket path cannot be empty.\n");
return 1;
} else
if (workerpathlen >= UNIX_PATH_LEN) {
fprintf(stderr, "%s: Worker Unix domain socket path is too long.\n", argv[3]);
return 1;
}
memcpy(&worker.sun_path, argv[3], workerpathlen);
/* Note: the terminating NUL byte was set by memset(&worker, 0, sizeof worker) above. */
workerfd = socket(AF_UNIX, SOCK_STREAM, 0);
if (workerfd == -1) {
fprintf(stderr, "Cannot create an Unix domain socket: %s.\n", strerror(errno));
return 1;
}
if (connect(workerfd, (const struct sockaddr *)(&worker), (socklen_t)sizeof worker) == -1) {
fprintf(stderr, "Cannot connect to %s: %s.\n", argv[3], strerror(errno));
close(workerfd);
return 1;
}
/* Initialize the address info hints */
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC; /* IPv4 or IPv6 */
hints.ai_socktype = SOCK_STREAM; /* Stream socket */
hints.ai_flags = AI_PASSIVE /* Wildcard ADDRESS */
| AI_ADDRCONFIG /* Only return IPv4/IPv6 if available locally */
| AI_NUMERICSERV /* Port must be a number */
;
hints.ai_protocol = 0; /* Any protocol */
/* Obtain the chain of possible addresses and ports to bind to */
result = getaddrinfo(wildcard(argv[1]), argv[2], &hints, &list);
if (result) {
fprintf(stderr, "%s %s: %s.\n", argv[1], argv[2], gai_strerror(result));
close(workerfd);
return 1;
}
/* Bind to the first working entry in the chain */
listenfd = -1;
failure = EINVAL;
for (curr = list; curr != NULL; curr = curr->ai_next) {
listenfd = socket(curr->ai_family, curr->ai_socktype, curr->ai_protocol);
if (listenfd == -1)
continue;
if (bind(listenfd, curr->ai_addr, curr->ai_addrlen) == -1) {
if (!failure)
failure = errno;
close(listenfd);
listenfd = -1;
continue;
}
/* Bind successfully */
break;
}
/* Discard the chain, as we don't need it anymore.
* Note: curr is no longer valid after this. */
freeaddrinfo(list);
/* Failed to bind? */
if (listenfd == -1) {
fprintf(stderr, "Cannot bind to %s port %s: %s.\n", argv[1], argv[2], strerror(failure));
close(workerfd);
return 1;
}
if (listen(listenfd, LISTEN_BACKLOG) == -1) {
fprintf(stderr, "Cannot listen for incoming connections to %s port %s: %s.\n", argv[1], argv[2], strerror(errno));
close(listenfd);
close(workerfd);
return 1;
}
printf("Now waiting for incoming connections to %s port %s\n", argv[1], argv[2]);
fflush(stdout);
while (!done) {
memset(&conn, 0, sizeof conn);
connlen = sizeof conn;
connfd = accept(listenfd, (struct sockaddr *)&conn, &connlen);
if (connfd == -1) {
/* Did we just receive a signal? */
if (errno == EINTR)
continue;
/* Report a connection failure. */
printf("Failed to accept a connection: %s\n", strerror(errno));
fflush(stdout);
continue;
}
/* Construct the message to the worker process. */
memset(&connhdr, 0, sizeof connhdr);
memset(&conniov, 0, sizeof conniov);
memset(&connbuf, 0, sizeof connbuf);
conniov.iov_base = conndata; /* Data payload to send */
conniov.iov_len = 1; /* We send just one (dummy) byte, */
conndata[0] = 0; /* a zero. */
/* Construct the message (header) */
connhdr.msg_name = NULL; /* No optional address */
connhdr.msg_namelen = 0; /* No optional address */
connhdr.msg_iov = &conniov; /* Normal payload - at least one byte */
connhdr.msg_iovlen = 1; /* Only one vector in conniov */
connhdr.msg_control = connbuf; /* Ancillary data */
connhdr.msg_controllen = sizeof connbuf;
/* Construct the ancillary data needed to pass one descriptor. */
connmsg = CMSG_FIRSTHDR(&connhdr);
connmsg->cmsg_level = SOL_SOCKET;
connmsg->cmsg_type = SCM_RIGHTS;
connmsg->cmsg_len = CMSG_LEN(sizeof (int));
/* Copy the descriptor to the ancillary data. */
memcpy(CMSG_DATA(connmsg), &connfd, sizeof (int));
/* Update the message to reflect the ancillary data length */
connhdr.msg_controllen = connmsg->cmsg_len;
do {
written = sendmsg(workerfd, &connhdr, MSG_NOSIGNAL);
} while (written == (ssize_t)-1 && errno == EINTR);
if (written == (ssize_t)-1) {
const char *const errmsg = strerror(errno);
/* Lost connection to the other end? */
if (!done) {
if (errno == EPIPE)
done = SIGPIPE;
else
done = -1;
}
printf("Cannot pass connection to worker: %s.\n", errmsg);
fflush(stdout);
close(connfd);
/* Break main loop. */
break;
}
/* Since the descriptor has been transferred to the other process,
* we can close our end. */
do {
result = close(connfd);
} while (result == -1 && errno == EINTR);
if (result == -1)
printf("Error closing leftover connection descriptor: %s.\n", strerror(errno));
printf("Connection transferred to the worker process.\n");
fflush(stdout);
}
/* Shutdown. */
close(listenfd);
close(workerfd);
switch (done) {
case SIGTERM:
printf("Terminated.\n");
break;
case SIGPIPE:
printf("Lost connection.\n");
break;
case SIGHUP:
printf("Hanging up.\n");
break;
case SIGINT:
printf("Interrupted; exiting.\n");
break;
default:
printf("Exiting.\n");
}
return 0;
}
and worker.c:
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
/* How many concurrent pending connections are allowed */
#define LISTEN_BACKLOG 32
/* Unix domain socket path length (including NUL byte) */
#ifndef UNIX_PATH_LEN
#define UNIX_PATH_LEN 108
#endif
/* Flag to indicate we have received a shutdown request. */
volatile sig_atomic_t done = 0;
/* Shutdown request signal handler, of the basic type. */
void handle_done_signal(int signum)
{
if (!done)
done = signum;
return;
}
/* Install shutdown request signal handler on signal signum. */
int set_done_signal(const int signum)
{
struct sigaction act;
sigemptyset(&act.sa_mask);
act.sa_handler = handle_done_signal;
act.sa_flags = 0;
if (sigaction(signum, &act, NULL) == -1)
return errno;
else
return 0;
}
/* Helper function to duplicate file descriptors.
* Returns 0 if success, errno error code otherwise.
*/
static int copy_fd(const int fromfd, const int tofd)
{
int result;
if (fromfd == tofd)
return 0;
if (fromfd == -1 || tofd == -1)
return errno = EINVAL;
do {
result = dup2(fromfd, tofd);
} while (result == -1 && errno == EINTR);
if (result == -1)
return errno;
return 0;
}
int main(int argc, char *argv[])
{
struct sockaddr_un worker;
int workerfd, workerpathlen;
int serverfd, clientfd;
pid_t child;
struct msghdr msghdr;
struct iovec msgiov;
struct cmsghdr *cmsg;
char data[1];
char ancillary[CMSG_SPACE(sizeof (int))];
ssize_t received;
if (argc < 3) {
fprintf(stderr, "\n");
fprintf(stderr, "Usage: %s WORKER COMMAND [ ARGS .. ]\n", argv[0]);
fprintf(stderr, "This creates a worker that receives connections\n");
fprintf(stderr, "from Unix domain socket WORKER.\n");
fprintf(stderr, "Each connection is served by COMMAND, with the\n");
fprintf(stderr, "connection connected to its standard input and output.\n");
fprintf(stderr, "\n");
return (argc == 1) ? 0 : 1;
}
/* Handle HUP, INT, PIPE, and TERM signals,
* so when the user presses Ctrl-C, the worker process cannot be contacted,
* or the user sends a HUP or TERM signal, this server closes down cleanly. */
if (set_done_signal(SIGINT) ||
set_done_signal(SIGHUP) ||
set_done_signal(SIGPIPE) ||
set_done_signal(SIGTERM)) {
fprintf(stderr, "Error: Cannot install signal handlers.\n");
return 1;
}
/* Unix domain socket */
memset(&worker, 0, sizeof worker);
worker.sun_family = AF_UNIX;
workerpathlen = strlen(argv[1]);
if (workerpathlen < 1) {
fprintf(stderr, "Worker Unix domain socket path cannot be empty.\n");
return 1;
} else
if (workerpathlen >= UNIX_PATH_LEN) {
fprintf(stderr, "%s: Worker Unix domain socket path is too long.\n", argv[1]);
return 1;
}
memcpy(&worker.sun_path, argv[1], workerpathlen);
/* Note: the terminating NUL byte was set by memset(&worker, 0, sizeof worker) above. */
workerfd = socket(AF_UNIX, SOCK_STREAM, 0);
if (workerfd == -1) {
fprintf(stderr, "Cannot create an Unix domain socket: %s.\n", strerror(errno));
return 1;
}
if (bind(workerfd, (const struct sockaddr *)(&worker), (socklen_t)sizeof worker) == -1) {
fprintf(stderr, "%s: %s.\n", argv[1], strerror(errno));
close(workerfd);
return 1;
}
if (listen(workerfd, LISTEN_BACKLOG) == -1) {
fprintf(stderr, "%s: Cannot listen for messages: %s.\n", argv[1], strerror(errno));
close(workerfd);
return 1;
}
printf("Listening for descriptors on %s.\n", argv[1]);
fflush(stdout);
while (!done) {
serverfd = accept(workerfd, NULL, NULL);
if (serverfd == -1) {
if (errno == EINTR)
continue;
printf("Failed to accept a connection from the server: %s.\n", strerror(errno));
fflush(stdout);
continue;
}
printf("Connection from the server.\n");
fflush(stdout);
while (!done && serverfd != -1) {
memset(&msghdr, 0, sizeof msghdr);
memset(&msgiov, 0, sizeof msgiov);
msghdr.msg_name = NULL;
msghdr.msg_namelen = 0;
msghdr.msg_control = &ancillary;
msghdr.msg_controllen = sizeof ancillary;
cmsg = CMSG_FIRSTHDR(&msghdr);
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
cmsg->cmsg_len = CMSG_LEN(sizeof (int));
msghdr.msg_iov = &msgiov;
msghdr.msg_iovlen = 1;
msgiov.iov_base = &data;
msgiov.iov_len = 1; /* Just one byte */
received = recvmsg(serverfd, &msghdr, 0);
if (received == (ssize_t)-1) {
if (errno == EINTR)
continue;
printf("Error receiving a message from server: %s.\n", strerror(errno));
fflush(stdout);
break;
}
cmsg = CMSG_FIRSTHDR(&msghdr);
if (!cmsg || cmsg->cmsg_len != CMSG_LEN(sizeof (int))) {
printf("Received a bad message from server.\n");
fflush(stdout);
break;
}
memcpy(&clientfd, CMSG_DATA(cmsg), sizeof (int));
printf("Executing command with descriptor %d: ", clientfd);
fflush(stdout);
child = fork();
if (child == (pid_t)-1) {
printf("Fork failed: %s.\n", strerror(errno));
fflush(stdout);
close(clientfd);
break;
}
if (!child) {
/* This is the child process. */
close(workerfd);
close(serverfd);
if (copy_fd(clientfd, STDIN_FILENO) ||
copy_fd(clientfd, STDOUT_FILENO) ||
copy_fd(clientfd, STDERR_FILENO))
return 126; /* Exits the client */
if (clientfd != STDIN_FILENO &&
clientfd != STDOUT_FILENO &&
clientfd != STDERR_FILENO)
close(clientfd);
execvp(argv[2], argv + 2);
return 127; /* Exits the client */
}
printf("Done.\n");
fflush(stdout);
close(clientfd);
}
close(serverfd);
printf("Closed connection to server.\n");
fflush(stdout);
}
/* Shutdown. */
close(workerfd);
switch (done) {
case SIGTERM:
printf("Terminated.\n");
break;
case SIGPIPE:
printf("Lost connection.\n");
break;
case SIGHUP:
printf("Hanging up.\n");
break;
case SIGINT:
printf("Interrupted; exiting.\n");
break;
default:
printf("Exiting.\n");
}
return 0;
}
You can compile them using
gcc -W -Wall -O3 worker.c -o worker
gcc -W -Wall -O3 server.c -o server
and run using e.g.
rm -f connection
./worker connection /bin/date &
./server 127.0.0.1 8000 connection &
As you can see, the ./worker and ./server processes are completely separate. I recommend starting them from different windows (leaving out the & at the end of the command lines, which otherwise runs the commands at the background). The connection is the path or name of the Unix domain socket used to transfer the network connection file descriptor. The /bin/date is a command (not a shell command, an executable) that will be executed for each connection, with standard input, output and error connected directly to the network client -- very much like inetd or xinetd does, just bare bones.
You can test the connection via e.g.
nc 127.0.0.1 8000
or
telnet 127.0.0.1 8000
The above /bin/date command will just output the current date to standard output, but if you use a bit cleverer worker command, say
rm -f connection
./worker connection printf 'HTTP/1.0 200 Ok\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 67\r\n\r\n<html><head><title>Works</title></head><body>Works!</body></html>\r\n'
you can use your browser (http://127.0.0.1:8000/) to test.
The design is such that worker.c listens to an Unix domain socket (connection in current working directory in all above example commands). It first accepts a connection (from a single server), then expects each incoming byte to be associated with SCM_RIGHTS ancillary data containing the file descriptor referring to the client connection. If there is a problem, or the connection is dropped, it goes back to waiting for a new connection from a server. If it receives a client descriptor, it forks a child process, redirects its standard input, output and error to the client descriptor, and executes the command specified on the ./worker command line. The parent process closes its copy of the client descriptor, and goes back to waiting for a new one.
server.c listens for incoming connections to the IPv4 or IPv6 address and port specified on its command line. When it gets a connection, it transfers the connected file descriptor to above worker.c process via the Unix domain socket specified on the command line (connection), closes its own copy, and goes back to waiting for a new connection. Note that if the server loses the connection to the worker, it aborts; you'll want to start ./worker always before the ./server.
Both server.c and worker.c install simple signal handlers so that you can tell them to exit by sending them a HUP or INT signal (Ctrl-C, if you run the commands in the foreground in separate terminals or shells). They also have reasonable error checking, so when they exit, they tell you exactly why. To be honest, I did it because that way you WILL receive EINTR errors occasionally, and unless you treat them correctly (retrying the relevant syscalls unless asked to exit), your processes will be fragile, and crash from the slightest changes in conditions. Be robust; it's not that hard, and the results are much more user/sysadmin-friendly.
I hope you find the code interesting. I'd be happy to elaborate, if you have any questions on the details. Just remember that I wrote it from scratch in very little time, and it is only intended as a simple example. There is a lot of room for improvement.
UNIX socket is used to pass file descriptors between processes.
According to this post it should be possible. You need some way (pipes or sockets come to mind) to let your worker process know the sockets handle.
Unfortunately, I am not experienced with unix programming, so I cannot give you more concrete info.

How to detect if the current process is being run by GDB

The standard way would be the following:
if (ptrace(PTRACE_TRACEME, 0, NULL, 0) == -1)
printf("traced!\n");
In this case, ptrace returns an error if the current process is traced (e.g., running it with GDB or attaching to it).
But there is a serious problem with this: if the call returns successfully, GDB may not attach to it later. Which is a problem since I'm not trying to implement anti-debug stuff. My purpose is to emit an 'int 3' when a condition is met (e.g., an assert fails) and GDB is running (otherwise I get a SIGTRAP which stops the application).
Disabling SIGTRAP and emitting an 'int 3' every time is not a good solution because the application I'm testing might be using SIGTRAP for some other purpose (in which case I'm still screwed, so it wouldn't matter, but it's the principle of the thing :))
On Windows there is an API, IsDebuggerPresent, to check if process is under debugging. At Linux, we can check this with another way (not so efficient).
Check "/proc/self/status" for "TracerPid" attribute.
Example code:
#include <sys/stat.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <ctype.h>
bool debuggerIsAttached()
{
char buf[4096];
const int status_fd = open("/proc/self/status", O_RDONLY);
if (status_fd == -1)
return false;
const ssize_t num_read = read(status_fd, buf, sizeof(buf) - 1);
close(status_fd);
if (num_read <= 0)
return false;
buf[num_read] = '\0';
constexpr char tracerPidString[] = "TracerPid:";
const auto tracer_pid_ptr = strstr(buf, tracerPidString);
if (!tracer_pid_ptr)
return false;
for (const char* characterPtr = tracer_pid_ptr + sizeof(tracerPidString) - 1; characterPtr <= buf + num_read; ++characterPtr)
{
if (isspace(*characterPtr))
continue;
else
return isdigit(*characterPtr) != 0 && *characterPtr != '0';
}
return false;
}
The code I ended up using was the following:
int
gdb_check()
{
int pid = fork();
int status;
int res;
if (pid == -1)
{
perror("fork");
return -1;
}
if (pid == 0)
{
int ppid = getppid();
/* Child */
if (ptrace(PTRACE_ATTACH, ppid, NULL, NULL) == 0)
{
/* Wait for the parent to stop and continue it */
waitpid(ppid, NULL, 0);
ptrace(PTRACE_CONT, NULL, NULL);
/* Detach */
ptrace(PTRACE_DETACH, getppid(), NULL, NULL);
/* We were the tracers, so gdb is not present */
res = 0;
}
else
{
/* Trace failed so GDB is present */
res = 1;
}
exit(res);
}
else
{
waitpid(pid, &status, 0);
res = WEXITSTATUS(status);
}
return res;
}
A few things:
When ptrace(PTRACE_ATTACH, ...) is successful, the traced process will stop and has to be continued.
This also works when GDB is attaching later.
A drawback is that when used frequently, it will cause a serious slowdown.
Also, this solution is only confirmed to work on Linux. As the comments mentioned, it won't work on BSD.
You could fork a child which would try to PTRACE_ATTACH its parent (and then detach if necessary) and communicates the result back. It does seem a bit inelegant though.
As you mention, this is quite costly. I guess it's not too bad if assertions fail irregularly. Perhaps it'd be worthwhile keeping a single long-running child around to do this - share two pipes between the parent and the child, child does its check when it reads a byte and then sends a byte back with the status.
I had a similar need, and came up with the following alternatives
static int _debugger_present = -1;
static void _sigtrap_handler(int signum)
{
_debugger_present = 0;
signal(SIGTRAP, SIG_DFL);
}
void debug_break(void)
{
if (-1 == _debugger_present) {
_debugger_present = 1;
signal(SIGTRAP, _sigtrap_handler);
raise(SIGTRAP);
}
}
If called, the debug_break function will only interrupt if a debugger is attached.
If you are running on x86 and want a breakpoint which interrupts in the caller (not in raise), just include the following header, and use the debug_break macro:
#ifndef BREAK_H
#define BREAK_H
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
int _debugger_present = -1;
static void _sigtrap_handler(int signum)
{
_debugger_present = 0;
signal(SIGTRAP, SIG_DFL);
}
#define debug_break() \
do { \
if (-1 == _debugger_present) { \
_debugger_present = 1; \
signal(SIGTRAP, _sigtrap_handler); \
__asm__("int3"); \
} \
} while(0)
#endif
I found that a modified version of the file descriptor "hack" described by Silviocesare and blogged by xorl worked well for me.
This is the modified code I use:
#include <stdio.h>
#include <unistd.h>
// gdb apparently opens FD(s) 3,4,5 (whereas a typical prog uses only stdin=0, stdout=1,stderr=2)
int detect_gdb(void)
{
int rc = 0;
FILE *fd = fopen("/tmp", "r");
if (fileno(fd) > 5)
{
rc = 1;
}
fclose(fd);
return rc;
}
If you just want to know whether the application is running under GDB for debugging purposes, the simplest solution on Linux is to readlink("/proc/<ppid>/exe"), and search the result for "gdb".
This is similar to terminus' answer, but uses pipes for communication:
#include <unistd.h>
#include <stdint.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#if !defined(PTRACE_ATTACH) && defined(PT_ATTACH)
# define PTRACE_ATTACH PT_ATTACH
#endif
#if !defined(PTRACE_DETACH) && defined(PT_DETACH)
# define PTRACE_DETACH PT_DETACH
#endif
#ifdef __linux__
# define _PTRACE(_x, _y) ptrace(_x, _y, NULL, NULL)
#else
# define _PTRACE(_x, _y) ptrace(_x, _y, NULL, 0)
#endif
/** Determine if we're running under a debugger by attempting to attach using pattach
*
* #return 0 if we're not, 1 if we are, -1 if we can't tell.
*/
static int debugger_attached(void)
{
int pid;
int from_child[2] = {-1, -1};
if (pipe(from_child) < 0) {
fprintf(stderr, "Debugger check failed: Error opening internal pipe: %s", syserror(errno));
return -1;
}
pid = fork();
if (pid == -1) {
fprintf(stderr, "Debugger check failed: Error forking: %s", syserror(errno));
return -1;
}
/* Child */
if (pid == 0) {
uint8_t ret = 0;
int ppid = getppid();
/* Close parent's side */
close(from_child[0]);
if (_PTRACE(PTRACE_ATTACH, ppid) == 0) {
/* Wait for the parent to stop */
waitpid(ppid, NULL, 0);
/* Tell the parent what happened */
write(from_child[1], &ret, sizeof(ret));
/* Detach */
_PTRACE(PTRACE_DETACH, ppid);
exit(0);
}
ret = 1;
/* Tell the parent what happened */
write(from_child[1], &ret, sizeof(ret));
exit(0);
/* Parent */
} else {
uint8_t ret = -1;
/*
* The child writes a 1 if pattach failed else 0.
*
* This read may be interrupted by pattach,
* which is why we need the loop.
*/
while ((read(from_child[0], &ret, sizeof(ret)) < 0) && (errno == EINTR));
/* Ret not updated */
if (ret < 0) {
fprintf(stderr, "Debugger check failed: Error getting status from child: %s", syserror(errno));
}
/* Close the pipes here, to avoid races with pattach (if we did it above) */
close(from_child[1]);
close(from_child[0]);
/* Collect the status of the child */
waitpid(pid, NULL, 0);
return ret;
}
}
Trying the original code under OS X, I found waitpid (in the parent) would always return -1 with an EINTR (System call interrupted). This was caused by pattach, attaching to the parent and interrupting the call.
It wasn't clear whether it was safe to just call waitpid again (that seemed like it might behave incorrectly in some situations), so I just used a pipe to do the communication instead. It's a bit of extra code, but will probably work reliably across more platforms.
This code has been tested on OS X v10.9.3 (Mavericks), Ubuntu 14.04 (Trusty Tahr) (3.13.0-24-generic) and FreeBSD 10.0.
For Linux, which implements process capabilities, this method will only work if the process has the CAP_SYS_PTRACE capability, which is typically set when the process is run as root.
Other utilities (gdb and lldb) also have this capability set as part of their filesystem metadata.
You can detect whether the process has effective CAP_SYS_PTRACE by linking against -lcap,
#include <sys/capability.h>
cap_flag_value_t value;
cap_t current;
/*
* If we're running under Linux, we first need to check if we have
* permission to to ptrace. We do that using the capabilities
* functions.
*/
current = cap_get_proc();
if (!current) {
fprintf(stderr, "Failed getting process capabilities: %s\n", syserror(errno));
return -1;
}
if (cap_get_flag(current, CAP_SYS_PTRACE, CAP_PERMITTED, &value) < 0) {
fprintf(stderr, "Failed getting permitted ptrace capability state: %s\n", syserror(errno));
cap_free(current);
return -1;
}
if ((value == CAP_SET) && (cap_get_flag(current, CAP_SYS_PTRACE, CAP_EFFECTIVE, &value) < 0)) {
fprintf(stderr, "Failed getting effective ptrace capability state: %s\n", syserror(errno));
cap_free(current);
return -1;
}
C++ version of Sam Liao's answer (Linux only):
// Detect if the application is running inside a debugger.
bool being_traced()
{
std::ifstream sf("/proc/self/status");
std::string s;
while (sf >> s)
{
if (s == "TracerPid:")
{
int pid;
sf >> pid;
return pid != 0;
}
std::getline(sf, s);
}
return false;
}

Resources